Achraf Ben Alaya
No Result
View All Result
  • News
  • Blog
    • blazor
    • c#
    • Cloud
      • Azure
    • docker
    • sql
    • xamarin
    • Dapr
    • Tricks, Tips and Fixes
  • Cloud
  • Motivation
  • General Tips & Fix
  • Exam Preparation
    • AZ-104
    • AZ-400
  • About
    • Resume
SUBSCRIBE
  • News
  • Blog
    • blazor
    • c#
    • Cloud
      • Azure
    • docker
    • sql
    • xamarin
    • Dapr
    • Tricks, Tips and Fixes
  • Cloud
  • Motivation
  • General Tips & Fix
  • Exam Preparation
    • AZ-104
    • AZ-400
  • About
    • Resume
No Result
View All Result
Achraf Ben Alaya
No Result
View All Result
ADVERTISEMENT
Home Blog Cloud Azure

Azure Policy for governance

achraf by achraf
August 29, 2020
in Azure, Blog, Cloud
6 min read
0
Azure Policy for governance
0
SHARES
596
VIEWS
Share on FacebookShare on Twitter

When first I haerd about azure Governance a lot come to my mind and I had a lot of ideas ,what do they mean ? and what is Governance in the cloud, until I found this simple definition :

Governance refers to the ongoing process of managing, monitoring, and auditing the use of Azure resources

So Governance in azure mean managing resource organisation and security ,auditing and monitoring cost , or we can say too “Putting the Right Controls in Place to Ensure Your Company Reaps the Rewards of Cloud Migration”

To create a plan for Azure cloud governance, it is important to have a detailed understanding of the current people resources, processes and technology frameworks used .

So we need to manage (subscriptions,managment groups,resource groups) apply a couple of security rules for (acces control,resource locks and policies) ,audit activities and azure alerts and monitor azure cost .

In this blog post we are going to see what is Azure Policy ,how to create a couple of policies ,reasons and how to apply them .

so let’s start .

 

what are azure policies ?

Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Policy meets this need by evaluating your resources for non-compliance with assigned policies. All data stored by Azure Policy is encrypted at rest.

For example, you can have a policy to allow only a certain SKU size of virtual machines in your environment. Once this policy is implemented, new and existing resources are evaluated for compliance. With the right type of policy, existing resources can be brought into compliance.

Policy definition :

To implement/apply a policy in Azure Policy we need to start by creating a policy definition .

Policy definitions describe resource compliance conditions and the effect to take if a condition is met.

So ,a policy provides control and governance over the resources themselves (i.e. restricting which geographies and regions a virtual machine can be deployed to, or what SKU of virtual machines can be deployed).  You can create these policies, and then apply them to a Management Group, Subscription, or a Resource Group.

Conditions :

A condition evaluates whether a field or the value accessor meets certain criteria and we are going to take effect or decision depend on that condition . The supported conditions are :

>"equals": "stringValue"   .
>"notEquals": "stringValue"
>"like": "stringValue"
>"notLike": "stringValue"
>"match": "stringValue"
>"matchInsensitively": "stringValue"
>"notMatch": "stringValue"
>"notMatchInsensitively": "stringValue"
>"contains": "stringValue"
>"notContains": "stringValue"
>"in": ["stringValue1","stringValue2"]
>"notIn": ["stringValue1","stringValue2"]
>"containsKey": "keyName"
>"notContainsKey": "keyName"
>"less": "value"
>"lessOrEquals": "value"
>"greater": "value"
>"greaterOrEquals": "value"
>"exists": "bool"

You can read more here https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure

Effect :

Depends on the condition that we are going to write , we are going to take effect , the available effects are :

Append: adds the defined set of fields to the request
Audit: generates a warning event in activity log but doesn't fail the request
AuditIfNotExists: generates a warning event in activity log if a related resource doesn't exist
Deny: generates an event in the activity log and fails the request
DeployIfNotExists: deploys a related resource if it doesn't already exist
Disabled: doesn't evaluate resources for compliance to the policy rule
EnforceOPAConstraint (preview): configures the Open Policy Agent admissions controller with Gatekeeper v3 for self-managed Kubernetes clusters on Azure (preview)
EnforceRegoPolicy (preview): configures the Open Policy Agent admissions controller with Gatekeeper v2 in Azure Kubernetes Service
Modify: adds, updates, or removes the defined tags from a resource .

More details you can read here . https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects

So let’s start by writing some policies .

Policy 1 Allowed locations for resource group:

Let’s say you have a rule on your company that the created resource groups must be only created in france ,how to define this policy ? :

{
    "mode": "All",
    "policyRule": {
        "if": {
        "allOf": [
            {
            "field": "type",
            "in": [
                "Microsoft.Resources/subscriptions/resourceGroups"
            ]
            },
            {
            "not": {
                "field": "location",
                "in": "[parameters('allowedLocations')]"
            }
            }
        ]
        },
        "then": {
        "effect": "deny"
        }
    },
    "parameters": {
        "allowedLocations": {
        "type": "Array",
        "metadata": {
            "displayName": "Allowed locations",
            "description": "Allowed locations for resource groups-demo",
            "strongType": "location"
        }
        }
    }
    }

 

Steps :

Policy 2 Allowed locations for websites:

{
"mode": "All",
"policyRule": {
    "if": {
    "allOf": [
        {
        "field": "type",
        "in": [
            "Microsoft.Web/sites"
        ]
        },
        {
        "not": {
            "field": "location",
            "in": "[parameters('allowedLocations')]"
        }
        }
    ]
    },
    "then": {
    "effect": "deny"
    }
},
"parameters": {
    "allowedLocations": {
    "type": "Array",
    "metadata": {
        "displayName": "Allowed locations",
        "description": "Allowed locations for Websites",
        "strongType": "location"
    }
    }
}
}

 

If you try to create a website in a different region , you will be denied and get this error .

 

NAMING POLICY

Many forget about namings their ressources and forget how important it is . But if you have the experience and have created a couple of ressources you will understand the importance of naming conventions . Giving a meaningful name to a ressource will make your life easier ,think about it ,if you have someone created a resource in your production envirmnoment and named it : blackswanWebApp and another one called it topgunwebapp ,so which one is the real app and how you will know ?

So , let’s write a naming convention for virtual machine ,let’s say you want any new virtual machine created must be named like this :

vm-p-sql-vm001 as p for prod and sql is for it’s role and vm001 is the number

so let’s define our policy now :

{
"mode": "All",
"policyRule": {
    "if": {
    "allOf": [
        {
        "field": "type",
        "in": [
            "Microsoft.Compute/virtualMachines",
            "Microsoft.ClassicCompute/virtualMachines"
        ]
        },
        {
        "not": {
            "field": "name",
            "match": "vm-?-???-vm###"
        }
        }
    ]
    },
    "then": {
    "effect": "deny"
    }
},
"parameters": {}
}

naming pictures

If you don’t respect the convention you will get this erro :

Else , it will be valid :

I recommend to start first by creating naming policies ,and test them cause they take time to be applied .

Later you can work on other type of policies .

Microsoft suggests using the following pattern for naming subscriptions: <Department (optional)> <Product Line (optional)>

But you could always define your patterns and keep your abbreviations as short as possible like :

vm for virtual machines ,st for storage , rg for resource groups ..

ps : keep in mind that you can’t rename resource in azure without deleting it and then recreating it with the new name .

Audit :

One of the pre-built policies is :

Latest TLS version should be used in your Web App

{
"properties": {
    "displayName": "Latest TLS version should be used in your Web App",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Upgrade to the latest TLS version",
    "metadata": {
    "version": "1.0.0",
    "category": "App Service"
    },
    "parameters": {
    "effect": {
        "type": "String",
        "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
    }
    },
    "policyRule": {
    "if": {
        "allOf": [
        {
            "field": "type",
            "equals": "Microsoft.Web/sites"
        },
        {
            "field": "kind",
            "like": "app*"
        }
        ]
    },
    "then": {
        "effect": "[parameters('effect')]",
        "details": {
        "type": "Microsoft.Web/sites/config",
        "name": "web",
        "existenceCondition": {
            "field": "Microsoft.Web/sites/config/minTlsVersion",
            "equals": "1.2"
        }
        }
    }
    }
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b"
}

Azure provides some ready made policies out of the box, all you need to do is configure these and apply them to your required scope Samples : https://github.com/Azure/azure-policy/tree/master/samples

ShareTweet
Previous Post

Deploy azure function from Docker Hub CI/CD

Next Post

Azure Tips

Related Posts

Win free certifications at the Microsoft Build Cloud Skills Challenge | May 2022 🎁
Blog

Win free certifications at the Microsoft Build Cloud Skills Challenge | May 2022 🎁

May 28, 2022
22
Generating report for SSL Certificates for Websites with PowerShell
Azure

Generating report for SSL Certificates for Websites with PowerShell

April 10, 2022
104
Win a free certifications at the Microsoft spring skills challenge  🎁
Blog

Win a free certifications at the Microsoft spring skills challenge 🎁

March 20, 2022
291
My Trip to Turkey
Blog

My Trip to Turkey

February 5, 2022
175
Microsoft Ignite Cloud Skills Challenge November 2021 :  Learn…and get rewarded (only 3 days left)

Microsoft Ignite Cloud Skills Challenge November 2021 : Learn…and get rewarded (only 3 days left)

November 27, 2021
200
Tools I use with Database
Blog

Tools I use with Database

November 7, 2021
253
Next Post
Azure Tips

Azure Tips

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Terraform

Certifications

Microsoft certified trainer (MCT)

Recommended

Setting up Serilog in ASP.NET Core

Setting up Serilog in ASP.NET Core

September 15, 2020
1.1k
Azure Policy for governance

Azure Policy for governance

August 29, 2020
596
Auto Post and Schedule Tweets & Linkedin using Azure Logic Apps

Auto Post and Schedule Tweets & Linkedin using Azure Logic Apps

April 14, 2021
343
Microsoft Ignite Cloud Skills Challenge November 2021 :  Learn…and get rewarded (only 3 days left)

Microsoft Ignite Cloud Skills Challenge November 2021 : Learn…and get rewarded (only 3 days left)

November 27, 2021
200
Font Awesome ,Bootstrap and Material Font Icons For Xamarin.Forms

Font Awesome ,Bootstrap and Material Font Icons For Xamarin.Forms

April 26, 2020
459
Azure Automation :  How to create PowerShell Runbook

Azure Automation : How to create PowerShell Runbook

February 4, 2021
484
Facebook Twitter LinkedIn Youtube
Win free certifications at the Microsoft Build Cloud Skills Challenge | May 2022 🎁

Win free certifications at the Microsoft Build Cloud Skills Challenge | May 2022 🎁

May 28, 2022
Generating report for SSL Certificates for Websites with PowerShell

Generating report for SSL Certificates for Websites with PowerShell

April 10, 2022
Win a free certifications at the Microsoft spring skills challenge  🎁

Win a free certifications at the Microsoft spring skills challenge 🎁

March 20, 2022

Categories

  • Apps (1)
  • Azure (35)
  • blazor (2)
  • Blog (59)
  • c# (6)
  • Cloud (34)
  • Dapr (4)
  • docker (2)
  • Games (1)
  • General Tips & Fix (1)
  • motivation (2)
  • Motivation (3)
  • News (9)
  • Resume (1)
  • sql (4)
  • Tricks, Tips and Fixes (3)
  • xamarin (5)
No Result
View All Result
  • News
  • Blog
    • blazor
    • c#
    • Cloud
      • Azure
    • docker
    • sql
    • xamarin
    • Dapr
    • Tricks, Tips and Fixes
  • Cloud
  • Motivation
  • General Tips & Fix
  • Exam Preparation
    • AZ-104
    • AZ-400
  • About
    • Resume